Bug 163514
Summary: | newer yet outdated policy stops operation of mozilla-bin, yum, rhn-applet, smbd ...
---|---
Product: | [Fedora] Fedora
Component: | selinux-policy-targeted
Version: | 3
Hardware: | All
OS: | Linux
Reporter: | David Timms <dtimms>
Assignee: | Daniel Walsh <dwalsh>
Status: | CLOSED CURRENTRELEASE
Severity: | medium
Priority: | medium
Doc Type: | Bug Fix
Last Closed: | 2005-07-20 15:57:45 UTC
Description
David Timms
2005-07-18 14:18:34 UTC
The latest policy should be selinux-policy-targeted-1.17.30-3.19. Please upgrade to that.

Created attachment 116915
var/log/messages where audit is challenging winbindd

OK, I note that the s-p-t installed is newer (larger=1.17.31-1) version, but rpm -q --info gives an older date (tweety compile in sept/oct 2004). rpm/yum think the installed one is newer, so a rpm -Uvh --oldpackage selinux-policy-targeted-1.17.30-3.19 got it installed.

The machine was fresh installed in about December, and as far as I know has had updates done using only yum (with the default fedora and updates-released repos). So it seems the newer kernel version showed up the fact that the incorrect s-p-t was installed, but I don't know whether this would happen to other machines.

Server was rebooted this evening, and now all items above are allowed to do their thing. However, it seems that winbindd is now getting stopped. Also tried reinstalling policy (Uvh) and the kernel (-e , ivh), and reboot but hasn't fixed that.

Is this the same as bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143564 (which is resolved with an older redhat 4 s-p-t 1.17.30-2-88)? (see attachment if winbind is new).

Are you running your own version of samba? The standard location for the tdb file is under /var/cache/samba not /var/lib.
Dan

Created attachment 116964
winbind audit problems after correcting smb lock directory
rpm -q --info samba
..
Version : 3.0.14a Vendor: (none)
Release : 1 Build Date: Fri 15 Apr 2005 16:25:12 EST
Install Date: Sun 08 May 2005 00:36:28 EST Build Host: fc3.plainjoe.org
Group : System Environment/Daemons Source RPM: samba-3.0.14a-1.src.rpm
So no, not a redhat samba, but instead an fc3 build by samba.org. I confirm that
the package was compiled with default lock directory = /var/lib/samba
I also checked that the fc3 samba-common-3.0.10-1.fc3.i386.rpm definitely has a
default of /var/cache/samba as you describe. Hence you are correct in your
diagnosis of the secondary fault/problem! Thanks :)
Feel welcome to close the bug as invalid, although with this _different_ samba
corrected to use /var/cache/samba, the attached selinux audit logs show the
policy stopping winbindd from starting, but with different errors. winbind does
start up OK on a separate test machine with the samba-3.0.10-1 installed.
I still think you have a labeling problem. Those files that winbind is trying to access should not be labeled var_t, they should be in the /var/cache/samba tree and labeled samba_var_t.

Please restorecon the /var tree

restorecon -R -v /var

Or do the entire system

touch /.autorelabel
reboot

Created attachment 116981
audit denieds on winbindd after suggested fixes.
Dan, thanks very much for your help, I am still not quite there yet !
I'll mark this as resolved current release, since this later problem is really
unrelated to the bug title.
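
The diagnosis made in this thread (a denial against a generic type such as var_t points to mislabeled files to fix with restorecon, not to a policy gap) can be applied mechanically to an audit log. The following is an added example, not part of the original bug report or its attachments; the log lines, the GENERIC_TYPES set and the action labels are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the FC3-era syslog AVC format; not copied from the bug's attachments.
SAMPLE_LOG = """\
Jul 19 20:01:02 fs1 kernel: audit(1121767262.101:0): avc:  denied  { read write } for  pid=2101 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb dev=hda2 ino=4411 scontext=root:system_r:winbind_t tcontext=system_u:object_r:var_t tclass=file
Jul 19 20:01:02 fs1 kernel: audit(1121767262.105:0): avc:  denied  { getattr } for  pid=2101 exe=/usr/sbin/winbindd name=winbindd_cache.tdb dev=hda2 ino=4412 scontext=root:system_r:winbind_t tcontext=system_u:object_r:var_t tclass=file
Jul 19 20:01:03 fs1 kernel: audit(1121767263.220:0): avc:  denied  { search } for  pid=2101 exe=/usr/sbin/winbindd name=samba dev=hda2 ino=5120 scontext=root:system_r:winbind_t tcontext=system_u:object_r:samba_log_t tclass=dir
Jul 19 20:01:04 fs1 winbindd[2101]: constructed non-AVC line, ignored by the parser
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)"
                    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")
NAME_RE = re.compile(r"\bname=(\S+)")

# Assumption: catch-all types that a daemon's own data should not carry.
GENERIC_TYPES = {"var_t", "file_t", "default_t", "unlabeled_t"}


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    name = NAME_RE.search(line)
    return {"perms": m["perms"].split(),
            "source": m["scon"].split(":")[2],   # user:role:type[:level]
            "target": m["tcon"].split(":")[2],
            "tclass": m["tclass"],
            "name": name.group(1) if name else None}


def triage(log_text):
    """Group denials by (source type, target type, class) and suggest a next step."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["source"], d["target"], d["tclass"])]
        g["perms"].update(d["perms"])
        if d["name"]:
            g["names"].add(d["name"])
    return [{"source": s, "target": t, "tclass": c,
             "perms": sorted(g["perms"]), "names": sorted(g["names"]),
             # Generic target type: fix labels (restorecon), do not widen the policy.
             "action": "relabel" if t in GENERIC_TYPES else "review-policy"}
            for (s, t, c), g in sorted(groups.items())]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Rows marked "relabel" are the ones to check with restorecon before considering any policy change.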